• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    Different modes of regulation and / or integration of avionics type systems with non-avionic or open type systems are described. Developments of the invention describe, in particular, different methods of data synchronization via a sharing space, modalities for modifying the data, human-machine interactions, steps for optimizing the calculations and the bandwidth, determination of the data. alerts about risks associated with computing differences, and mechanisms for securing secure storage space. Aspects of software and system are described (E.F.B. and F.M.S.)
    公开号:FR3067803A1
    申请号:FR1700650
    申请日:2017-06-16
    公开日:2018-12-21
    发明作者:Gilles BLANC;Laurent CASTET;Renaud ERBA;Orvain
    申请人:Thales SA;
    IPC主号:
    专利说明:

    SYNCHRONIZATION OF A DUAL AVIONIC AND NONAVIONIC SYSTEM
    Field of the invention
    The invention is situated in the technical field of on-board systems, and more particularly in the technical field of flight management systems, of avionics type (eg “Flight Management System”, FMS) or nonavionics (eg “Electronic Flight Bag”, EFB).
    State of the art
    The term "avionics world" refers to certified avionics systems that provide development guarantees.
    The so-called "non-avionics" or "open" world opposes, complements and interacts with this avionics world. It designates in particular electronic flight bags or other tablets and calculators, located on the ground or on board the aircraft.
    As soon as there is the possibility of putting a calculation system which deals with the elements of flight outside of avionics (ie in the open world, eg by EFBs), there can arise several specific technical problems . There may in particular be a technical problem relating to the communication and updating of this system with respect to the flight management system in avionics, and vice versa.
    This update, that is to say this interaction (two-way communication) between the two types of equipment can pose critical problems in terms of security and / or safety, in particular in terms of equipment certification and opening up to other systems interconnected to the Internet.
    In addition, the accelerated development of tools such as EFBs (for example in terms of computing capacities, flexibility or reliability) makes more and more urgent the development of advanced management methods for these interactions. Communication between the two worlds must overcome a number of difficulties, provide specific guarantees, protections and precautions.
    In existing systems, EFBs and their applications are generally not connected to avionics. The crew is therefore forced to do a double job, since they have to analyze the results in the open world and manually report the elements that are usable and useful in avionics systems. The contribution of EFBs and their applications may therefore have an effect contrary to the expected effect, which is to help the crew and reduce their workload.
    Patent literature rarely addresses the above technical problems, and does not give satisfactory solutions.
    For example, patent document FR3029619 entitled “MANAGEMENT SYSTEM, IN PARTICULAR FLIGHT MANAGEMENT SYSTEM, FOR AN AIRCRAFT” discloses a management system which includes an avionics core, implementing so-called generic aircraft management functionalities and the provision of services linked at least to these generic functionalities, at least one remote functionality (F1, F2, Fn) in an open world part (4), called remote functionality, performing an interface function between the avionics core and open world type applications (AP1, AP2, APm) which need to communicate with the avionics core, ensuring homogeneity and consistency of the data exchanged and guaranteeing the integrity and security of data exchanges, and an interface 'exchanges between the avionics core and the open world functionality (F1, F2, Fn), supporting data exchanges. This approach has limitations. In particular, data updates on both sides are not managed, nor are security and safety considerations addressed.
    Some approaches such as that described in US9583008 provide for extended FMS systems, for example an FMS distributed by construction over the two avionics and open worlds, that is to say requiring a FMS system modified with respect to the 'existing. This approach is limited in that it prohibits the reuse of unmodified FMS.
    There is a need for methods and systems allowing controlled interactions (e.g. secure and / or safe) between avionic systems and non-avionic systems.
    Summary of the invention
    Different methods of regulating and / or integrating avionic type systems with non-avionic or open type systems are described. Developments of the invention describe in particular different methods of synchronizing data via a sharing space, methods of modifying data, human-machine interactions, steps for optimizing calculations and bandwidth, for determining alerts concerning risks associated with differences in calculation, and mechanisms to secure the secure storage space. Software and system aspects are described (E.F.B. and F.M.S.)
    Advantageously, the connection or the connection between the two worlds makes it possible to preserve or guarantee the criteria required in terms of aeronautical security and safety.
    In one embodiment, one-way communication from the avionics to the open world can be established (data is "escaped" from certified systems to open systems for processing).
    In one embodiment, a two-way communication can be established (the data of the certified systems handled by the open systems are fed back into the avionic systems).
    This two-way interaction advantageously allows access to numerous sources of data in the open world which greatly increase the assistance available for flight control. The open world is not constrained in terms of resource (computing power, memory), and technological evolution (access to all the latest developments at all times) due to the least certification constraints. The usability of man-machine interfaces in the open world is finally generally superior (eg accessible, robust, unambiguous, etc.) to the user interfaces in force in avionics (at least they correspond to practices generalized in consumer computing).
    Advantageously, the methods and systems according to the invention make it possible to “deport” to the open world a large number of avionic type functions then to reimport the results or the data manipulated and enriched in avionics.
    In one embodiment, the import or re-import of data, data on the data (metadata), functions or programs (data modifying data) can be checked, checked or modified by the pilot (open loop ). The communication or synchronization is then "asymmetrical", in the sense that the data of the mission managed in the avionics cannot be replaced without the agreement of the pilot.
    In other embodiments (closed loop type), the interactions between open world and avionics are carried out in an integrated manner (e.g. safe and / or secure).
    Advantageously, certain embodiments make it possible to conduct transparent communication between the two worlds, while preserving the avionic world from the alterations that communication with the open world can bring. In one embodiment, the pilot does not intervene in the interaction (for example synchronization) of the two types of system except for operations related to security.
    Advantageously, in connection with the use of modern and evolving tools from the open world, the methods and systems according to the invention allow quantitative and / or qualitative improvements in the flight (eg in terms of performance, operational costs eg fuel consumption , predictability and reliability of the mission), a reduced workload for the pilot and therefore better management of the cognitive load of the latter, as well as positive impacts in terms of aviation safety and security.
    According to an advantageous embodiment, the man-machine interface deployed in the cockpit comprises a page and / or a command dedicated to the verification and / or acceptance and / or modification of data from the non-avionic open world in the management of the mission managed in avionics.
    Advantageously, the invention can be implemented in contemporary aircraft comprising latest or new generation FMS flight management systems. These FMS flight management systems, for example “Open Capacity” type FMS offer by default communication links with non-avionics systems. These communication links can be used by the invention. Older-generation FMS can be addressed in different ways, including through existing communication links (data link, detailed ground-to-shore links below).
    Advantageously according to the invention, trajectories and predictions of the flight plan can be calculated in the open world, therefore more quickly (and this reliably).
    Advantageously according to the invention, the use of a buffer storage space between the open world and the avionic world makes it possible to globally and / or punctually reduce the amount of data to be exchanged, and consequently makes it possible to speed up the calculations (while remaining reliable).
    In one embodiment, calculation libraries executed in the open world make it possible to determine the missing parts (data, functions, calculation results) for processing by the avionics. Sophisticated synchronization mechanisms can be implemented due to the existence of storage space.
    In certain embodiments, the synchronization of the data between the two worlds may be incomplete, and may therefore result in additional work generated for the pilot (who must complete the synchronization). This step of verifying, completing or manually modifying the synchronization is detectable because it is visible on the screen.
    In certain advantageous embodiments, "patterns" or patterns or diagrams or data exchange templates can be used and can optimize the bandwidth (relieving the bandwidth on the side of the avionics network, which can be limited).
    In some advantageous embodiments, data compression techniques can be used to further minimize the size of the data synchronized over the avionics network.
    Advantageously according to the invention, the perimeter of the avionic functions (functional perimeter) can be extended by the functions of the open world.
    Advantageously according to the invention, the synchronization between the two types of system can be controlled and / or optimized by minimizing the risks relating to aeronautical safety and / or security.
    Advantageously according to the invention, data from the non-avionics world (potentially rich, e.g. diverse and varied) can be adapted (e.g. detected, formatted, modified, selected) and then taken into account in the avionics field. This adaptation can also be contextual, i.e. carried out according to the flight context (e.g. flight phase, flight event, constraint or operational objective, etc.).
    Advantageously, the embodiments of the invention allow synchronization between two types of systems (associated with different security and / or safety characteristics). Communications can be client / server type. In one embodiment, the synchronization can be qualified as asymmetrical, by privileging the integrity and the verification of the data of the avionic world.
    Advantageously, the pilot's (cognitive) load is reduced or minimized. Any action on one side or the other (avionics versus non-avionics) need only be done in one place.
    Advantageously, the secure and / or reliable storage space makes it possible to ensure data validation and control / validation of what is injected into the operational mission of the avionics world.
    Description of the figures
    Other characteristics and advantages of the invention will become apparent with the aid of the description which follows and from the figures of the appended drawings in which:
    Figure 1 illustrates the overall technical environment of the invention;
    FIG. 2 schematically shows in general the integration or the interactions between the system (s) avionics (s) and non-avionics (s) 122;
    FIG. 3 illustrates a specific regulation mode according to an advantageous embodiment of the invention;
    Figure 4 illustrates other examples of embodiments of the invention;
    FIG. 5 illustrates examples of steps of the method according to an embodiment of the invention.
    Detailed description of the invention
    An aircraft within the meaning of the invention is a means of transport capable of evolving within the Earth's atmosphere. For example, an aircraft can be an airplane or a helicopter (or even a drone). By extension, the embodiments of the invention are applicable to any type of land, naval, air, aerospace transport (optimization of orbital paths).
    The invention describes different interactions between one or more avionic type systems and one or more non-avionic type systems. The two types of systems are technical systems. Avionics systems are systems that meet specific requirements, particularly technical, as published by aeronautical regulations.
    An “avionics system” (or “avionics type system”) is a system having specific technical characteristics in comparison with a “non-avionics” system (or “non-avionics type system” or “open world”), these technical characteristics being administratively certified by a trusted authority (in this case the aeronautical regulator). Technically, delegations of authorities may allow management of a technical nature from this administrative type in the future (e.g. crypto ledgers).
    Concerning the distinctive technical characteristics of an avionics system, a system - generally, ie avionics or non-avionics - can present or be associated with a predefined failure rate (among a range of predefined failure rates), a rate of failure including or determining a predefined execution error rate. In one embodiment, the failure rate of an avionic type system is lower than the failure rate of a non-avionic type system. In one embodiment, the failure rate of an avionics system is significantly or substantially lower than that of a non-avionics system.
    An avionics system designates a reliable system (or one with guaranteed reliability). It is a system whose failure has consequences that exceed accepted or acceptable limits, and therefore feared. A failure can be characterized by the loss of the considered function, or by the production of erroneous data, with or without detection of an error. Depending on the level of criticality of the feared consequences, the probability of occurrence must be kept below an acceptability threshold. Thus, the more critical the consequence, the lower the probability of acceptable occurrence. For example, in aeronautics, a catastrophic event (multiple deaths) should have a probability of occurrence less than 10 Λ -9 per flight hour, while a major incident (reduction of safety margins and operational capacities, discomfort or minor injuries) should have a probability of occurrence less than 10 Λ -5 per hour flown. To ensure these objectives, the architecture of the avionics system (made more reliable) as well as the design of each component guarantee this probability of occurrence by guarantees of failure rate of each equipment (physical failures) and levels of verification (functional coverage and structural test) software.
    These requirements impose a significant design and verification effort, and impose a limitation in the complexity of the treatments implemented.
    Conversely, the failure of a system which is not reliable, or whose reliability is not guaranteed (non-avionics system) has consequences deemed tolerable, non-critical, or even without significant operational impact. The requirements on architecture, physical components or software processing are therefore lower, and allow more complex processing, and a reduced development and verification effort compared to a reliable system.
    In order to use during flight operations data from an unreliable computer, since the reliability of the data is not guaranteed (or guaranteed with an error rate lower than the requirements of the reliable system), it is advantageous to use the method according to the invention. The steps of the process make it possible in particular to ensure that no erroneous data is used operationally by the reliable system. The steps can include verification by the human operator, following manual entry or automatic transmission, or various means of verifying the data transmitted. In certain embodiments, it is also possible to have steps for calculating or checking the consistency of the data of the non-avionic system made by the world of the avionic system (for example, it can be verified that a trajectory is constructed with known points and that it flyable). The failure of a system can be understood in a deterministic way but also in a probabilistic way.
    In one embodiment, an additional completeness criterion allows nuance of the failure rate criterion. This completeness criterion designates the coverage of tests (excitations, challenges without necessarily a known response) and / or checks (eg comparison of the response produced with that which is known and expected) which have been previously carried out on the avionics system or non-avionics system in determining the failure rate. In one embodiment, the exhaustiveness of the tests and / or verifications carried out is greater in an avionics system compared to a non-avionics system.
    In one embodiment, in addition to the overall failure rate of the avionics system or non-avionics system, the failure rates specific to the components of the avionics system or non-avionics system can be taken into account, as well as the propagation of the failures.
    Different embodiments of the invention describe different types of exchanges (eg functional and dynamic data exchange), different protections (eg security mechanisms, dedicated spaces, etc.) and different examples of synchronization mechanisms which can be implemented. so that the two worlds are as synchronized as possible. In one embodiment, a main reference is preserved in the avionics.
    The term "consult" refers to data or calculations from avionics. The term “modify” generally refers to a piece of data offered by the open world in its “sandbox”. The term “inject” designates an exchange from the open world or from its “sandbox” to mission data managed by the avionics system.
    Data synchronization concerns all types of data (flight plan, but also data from the navigation database, aircraft states (example flight phase) and commands (example: waypoint insert) / Different types of objects are calculated, communicated and compared, on both sides (avionics versus non-avionics). For the consultation part, these objects notably include navigation databases (permanent and user), magnetic variation databases, static characteristics of the aircraft, elements of the aircraft performance database, the states of the avionics system, the flight plan data, the trajectory data and the prediction data. objects include user navigation databases and flight plan data. For the injection part, objects include user navigation databases and t flight plan data.
    Figure 1 illustrates the overall technical environment of the invention.
    An aircraft 110 is a means of transport capable of evolving within the Earth's atmosphere. For example, an aircraft can be an airplane or a helicopter (or even a drone). The aircraft includes a cockpit or a cockpit 120. Within the cockpit are piloting equipment 121 (called avionics equipment, certified by the aeronautical regulator) and optional equipment (called non-avionics or "open world") .
    The avionics equipment 121 (hereinafter "the avionics") for example comprises one or more on-board computers (means of calculation, memorization and storage of data), including a flight management system ("Flight Management System" , acronym FMS), man-machine interface means, such as display means (eg screens incorporated into avionics equipment) and / or data entry (eg keyboards, buttons, cursors, rotators, etc.), means of communication or haptic feedback. By extension, the avionics systems can include systems accessible remotely, for example air traffic control 100 and / or operational center, which can be in communication (bilateral) via the ground-edge links. Furthermore, the air traffic control systems 1001 and / or of the operational center can access (eg receive, collect, select, cross, determine) sources of open type data (eg meteorological data of non-regulatory type), for example accessible from the Internet and whose coverage and depth covers the entire flight of the aircraft.
    Non-avionic systems 122 designate on-board or ground devices which can, for example, include one or more computer tablets or EFBs (“Electronic Flight Bag” for electronic schoolbag), portable or integrated in the cockpit, display means ( eg additional screens, connected glasses, heads-up sights, projectors, holographic systems, virtual and / or augmented reality headsets called "wearable computers" or "head-mounted displays", etc.), as well as means interaction (eg laser projection keyboards, unfoldable, unrollable; haptic systems, force feedback, mechanical, pneumatic, electric; dictation or voice recognition means with noise cancellation, etc.).
    A non-avionic EFB is sometimes referred to or described as “open (world)” type equipment as opposed to “avionic” type equipment (certified by the regulator). An EFB can interact (unidirectional or bilateral communication 123) with the avionics equipment 121. The EFB can also be in communication 124 with external IT resources, accessible by the network (for example cloud computing or Cloud computing 125. In particular, the calculations can be carried out locally on the EFB or in a partial or total way in the means of calculation accessible via or by or in the network.
    The on-board equipment 121 is generally certified and regulated while the EFB 122 and the connected IT means 125 are generally not (or to a lesser extent). According to the embodiments (types of integration), the architectures that can be implemented make it possible to inject flexibility and functional capacities on the side of the open world (eg via the EFB 122) while ensuring security ( on the avionics side 121.
    FIG. 2 schematically shows in general terms the integration or interactions between the avionic system (s) 121 and the non-avionic system (s) 122.
    The regulation 210 of the interactions between the avionic systems 121 and non-avionic type systems 122 can be done, i.e. via data exchange management rules, implemented on both sides. Regulation 210 can also take the form of a dedicated regulatory body or entity. In certain embodiments, the pilot 200 can control 211 (modify, influence, regulate, stop, initiate, initialize, etc.; directly or indirectly) the exchanges between the systems 121 and 122 (e.g. in kind, volume, quality, etc.). The pilot can in particular use one or more human-machine interfaces. The regulatory rules may in particular result from the intervention of man and / or the machine (therefore in particular result from joint man and machine decisions).
    Generally, the methods of communication between the two types of avionic system and non-avionic system cover various aspects or parameters:
    a) directionality; communication between the two types of system (e.g. data flow, message passing, etc.) can be one-way or two-way. This directionality property can be static (invariant or course of time) but can also change over time (according to predefined time intervals and / or according to predefined events, for example according to the phase or context of flight. For example , the communication can be bidirectional when the aircraft is on the ground at its boarding gate, and unidirectional when taxiing. In this example, when the aircraft is on the ground, any modification proposed by the non-avionics system to the avionics system can be checked, and, if it was wrong, it would not decrease safety insofar as this modification could still be modified and corrected. As soon as taxiing and in flight, communication takes place initially only from the avionics system towards the non-avionics system, any data produced by the non-avionics system that cannot be automatically transferred to the avionics system.
    b) form (e.g. data format, type of protocols, translation / bridging, etc.). For example, a WIFI or wired Ethernet protocol may be the most optimized on the ground (given the large volume that can be exchanged on the ground to initialize the mission) while a more secure protocol with lower speed may be preferable in flight , taking into account on-board communications architectures (AEEC ARINC 653) which may require guaranteeing bandwidth and integrity for all critical computers and can therefore de facto limit the speed and the type of data exchanged with the nonavionic system .
    c) background (quality e.g. nature of the objects communicated e.g. flight plan points or 3D trajectory, etc.; data on the data i.e. metadata; raw or static data; executable data i.e. programs). A nonavionic system, in addition to the flight plans, can be the receptacle of numerous rich data of which only a part will be exploited by the avionic system: aeronautical maps, geographic maps of maximum resolution, complete weather maps. The avionics system can use a subset of the data, filtered for its needs (for example filtering along the flight plan, filtering the resolution adapted to its memory limitations, to its computing power limitations, etc.).
    d) quantity (or volumes). A non-avionics system can use rich data (there is no real limitation in terms of processor, memory and storage; powerful multi-core processors can be used, while avionics system computers have a hardware architecture very robust but much more limited to guarantee the testability of the required performance, for example with properties of resistance to high energy particle events during flight (SEU, NSEU), resistance to vibration or to extreme temperatures. avionics generally have significantly less power than nonavionics computers.
    e) privileges or priorities (eg global priorities can be allocated; for example the "master" avionics system will be associated with a priority at all times higher than the "slave" non-avionics system; "administrator" or "read / write" privileges writing ”will be allocated to the different parties, for example in terms of access, reading and / or writing in one or the other type of system.
    The regulation of data exchanges can govern each of these aspects differently and combine them in a particular way. Depending on the embodiments, it will be obtained from master / slave systems (scalable or not) or from peer-to-peer networks (scalable or not), comprising various and varied feedbacks (e.g. feedforward, etc.)
    The reference to human-machine interfaces designates a diverse set of equipment. The display devices can include or implement one or more sophisticated devices such as virtual reality headsets and / or augmented reality glasses (eg head-mounted display, wearable computer, glasses or a head-mounted display) and / or projection devices (eg holographic). A virtual reality headset worn by the pilot can be opaque or semi-transparent or with configurable transparency). The display can be "high sight". The helmet can include one or more calculation and communication, projection, audio acquisition, projection and / or video acquisition devices (for example for the capture or scraping of data accessible analogically from the cockpit or the flight deck of the aircraft). The helicopter cockpit may also include voice control devices. The on-board instrumentation can advantageously allow the pilot to view his flight plan plan or his trajectory in 3D, in particular the different waypoints according to the invention. For example, the pilot will be able to visualize - for example superimposed on his real environment - the different approaches of the target platform, the trajectory rejoins when these are still possible (switch from one type of approach to another). The safety distance can be viewed by graphic envelopes (cones, volume polyhedra, virtual walls, virtual corridors, etc.), as well as local parameters (for example wind speed, real measurements by laser wind anemometry or local turbulence, or numerical simulations of these.
    Finally, haptic feedback devices incorporated in the system for the implementation of the invention can enrich guidance / piloting (specific vibrations when effectively crossing a crossing point, etc.).
    Regarding the display, the information can be displayed in one or more virtual and / or augmented reality headphones. The information can therefore be entirely virtual (displayed in an individual helmet), entirely real (for example projected on the flat surfaces available in the real environment of the helicopter cockpit) or a combination of the two (partly a superimposed virtual display or merged with reality and partly an actual display via projectors). The display can also be characterized by the application of predefined location rules and display rules. For example, human-machine interfaces (or information) can be distributed (segmented into separate portions, possibly partially redundant, then distributed) between the different virtual or real screens.
    In one embodiment, the avionics system and the non-avionics system use entirely separate physical physical supports (processor, memories, etc.) (e.g. mutually exclusive). For example, avionics system and non-avionics system interact via data links (logical nature)
    In one embodiment, the functions are distributed between the avionics and non-avionics systems. In one embodiment, a secure communication device can make the link between the two types of systems. The transport of data can for example be of IP or secure IP nature. In this mode, the avionics system and the non-avionics system exchange commands and data, but the completeness of the data in the two worlds is ensured by an independent calculation in each system.
    A non-avionics system can make significantly more calculations thanks to memory and CPU resources of a higher order than that of the avionics system. A non-avionics system can therefore perform dichotomy calculations until approaching an optimal solution which will be refined and confirmed by the avionics system world by optimally using the much less abundant resources in this type of system. Furthermore, the physical physical media of non-avionics systems evolve much faster than avionics systems.
    In one embodiment, the avionics system and the non-avionics system share a portion of the hardware resources (processor, memories, etc.). For example, at least one memory unit is accessible both by the avionics system and by the non-avionics system. In one embodiment, part of the resources of the avionics system can be dedicated to the non-avionics system in order to be able to have the avionics system calculate and verify calculation hypotheses developed / constructed in the non-avionics system world. The properties of the avionics system can thus be exported to the non-avionics system. Although available for the non-avionics system, these avionics system resources can be protected and their use cannot propagate errors to the rest of the avionics system which would originate requests and data from the non-avionics system world. There is therefore an advantage in using sparingly the avionics resources.
    In one embodiment, an avionics system and a nonavionics system share all of the hardware resources (processor, memories, etc.). Two particular embodiments can be described. For example, an avionics system FMS is fully virtualized on a host machine that hosts both an avionics system and a non-avionics system. In one embodiment, the hardware platform of the non-avionics system is raised to a certification level equal to that of the avionics system. From an administrative point of view, this constraint is costly in terms of qualification, but advantageously leads to optimization in terms of data transfer from one world to another. In one embodiment, a non-avionics FMS is fully virtualized on the hardware support which (mainly) hosts the avionics system. This embodiment is limited due to the lack of scalability and resources of the hardware supports of the avionics system, but the regulatory constraints can be satisfied.
    In one embodiment, the avionic system and nonavionic system systems are connected by exclusively wired connections, i.e. excluding any interceptable wireless communication. The wired connection of systems can make it more difficult to compromise security attacks (e. Compromises, interceptions or malicious injections made possible in wireless embodiments).
    In one embodiment, the avionic systems and the nonavionic systems are connected by wireless type connections, but secured with sufficient encryption (complex keys renewed more frequently than the minimum cryptanalysis time, the latter being for example evaluated taking into account means available for an aircraft passenger).
    In particular, regulation 210 (in fact or according to a regulatory body) between the avionic system and the non-avionic system - as a critical component at the interface of the two types of system - can be the subject of measures of dedicated security (for example independently of other systems). The security mechanisms can include one or more of the mechanisms including data encryption (for example with asymmetric keys), authentication mechanisms (for example biometric), self-monitoring mechanisms (eg state machine, “watchdog ”), Anti-intrusion mechanisms (eg IDS), continuous verification mechanisms for the integrity of the data handled in the gateway server, sharing of a prior secret, etc.
    In one embodiment, the regulation between the avionic system and the non-avionic system can be approved (or recognized or accepted or authorized) by the non-avionic systems on the one hand and the avionic systems on the other hand, intermittently, regular or on demand.
    The security mechanisms may include one or more mechanisms and / or steps selected from the group comprising a step of controlling the integrity of all or part of the data and / or results (e.g. initial, intermediate, final); a step consisting in authenticating a machine and / or the pilot (e.g. PKI, biometrics, etc.); a step consisting in encrypting all or part of the data; a step consisting in counting the communications or the data or the types of data exchanged between the avionic system and the nonavionic system, a step consisting in classifying normal or abnormal behavior behaviors, etc.
    The integrity check may include a CRC or checksum verification step. Data integrity control can include the use of hash strings (eg blockchain type, for example to guarantee data integrity and / or flight plan revision history. Access to data and to their revisions can be made at any time and by any party ("permissionless ledgers") or according to prior registrations ("permissioned ledgers")
    The encryption can be symmetrical (private key). The encryption can be asymmetric (private key and public key); for example, the avionics system can keep its private key secret to decrypt encrypted communications using its public key by non-avionics systems.
    The counting of exchanges designates the quantitative control of exchanges, which can be differentiated by types of data. For example, the installation of counters can make it possible to constrain (limit, cap, brake, slow down, etc. in a binary, fine-tuned or exponential manner) the number of / mports and / or exports of data between the avionics system and the non-avionics system .
    The regulation of communications between the avionic system and the nonavionic system can be carried out in an open loop, ie requiring human validation, which can mobilize a graphic (visual) rendering for decision-making.
    Authentication may include a plurality of mechanisms taken in combination (eg biometric authentication, by card, by code, or by logical test eg Turing test type captcha in order to ascertain the human origin of the injection decision of data in the avionics system).
    FIG. 3 illustrates a specific regulation mode according to an advantageous embodiment of the invention.
    Data from the open world is communicated 316 to the avionics and is received and stored in a “sandbox” 322 (“sandbox” in English), the content of which is accessible to the pilot 200 and which if necessary validates or authorizes , possibly after modification, the injection of data into the flight management system FMS or mission management 321. The avionics calculates the trajectory in a precise manner and optionally a return loop 316 can communicate the data calculated to the non-avionics system 122.
    In more detail, the arrows 315 and 316 symbolize data communications, for example via calls to functions or services. The data is received (and isolated) in the sandbox 322 (“sandbox”) then communicated securely to the avionics mission module. Communication or data transfer can optionally be modulated or authorized by the pilot 200. In fact, the pilot can validate the synchronized data during the injection into the operational mission. After processing by the avionics system 122, data is supplied in return 316 to the non-avionics system.
    The sandbox 322 can be implemented in a variety of ways. The example in FIG. 3 places this secure storage space in the avionics, but in other embodiments, it can be implemented in other physical and / or logical locations (eg secure USB key, logical partition, Dedicated EFB, server in the Cloud, etc.), the security and integrity of the data being ensured by one or more mechanisms described below.
    In one embodiment, the sandbox 322 is a passive storage space. It plugs in (queuing) the elements calculated by the non-avionic systems and ultimately transmits them to the avionic systems. The gateway server then serves as a buffer between the two types of systems. In one embodiment, the sandbox 322 can order the queue, for example according to the priority associated with the various objects queued, according to the flight context and / or the use of the avionic resources which may be under-requested or over-requested, etc.
    In one embodiment, the sandbox 322 between the avionics system and the non-avionics system is an active storage space, i.e. which adds logical processing to the data received. Sandbox 322 can do one or more of the following: perform its own checks on a route's compliance with avionics criteria, receive instructions from a third-party system, etc. In one embodiment, the sandbox 322 can verify the conformity between the trajectory calculated in avionics and the trajectory resulting from calculation outside avionics.
    In an embodiment illustrated in FIG. 3, the hierarchical dual system (master-slave) comprises a master avionics system and non-avionics slave system. In this context, several interaction modalities (e.g. synchronization mechanisms) are described.
    In one embodiment, there is a partial exchange of data and recalculation on either side to reproduce a functionally equivalent situation. In one embodiment, the master system has specific data (example actual position of the aircraft) which makes it possible to impose the result. Verification of the integrity or viability of the data produced is possible thanks to an aid showing the differences between the two calculations. In one embodiment, this verification is carried out by humans (via an HMI interface). In one embodiment, this verification is carried out by the machine (via a system of logical rules handling quantified facts. In one embodiment, the verification is joint man-machine (eg weighted or not, last word for the pilot or not , etc).
    In one embodiment, there is a complete exchange of data and states of the aircraft. The data of the slave or slave part are replaced in full by the data by the master part. The avionics system imposes its states and its data.
    In one embodiment, additional data exchanges take place with each party (which can assume a master role for certain types of data or objects handled), the other remaining data being recalculated locally by each party. In one embodiment, each party can indeed be specialized, i.e. assume the role of master for certain data and the enslaved role for other data. Some data may be provided by one party or the other (for example, data entered from human-machine interfaces).
    In one embodiment, the integration between systems 121 and systems 122 can be carried out in a discrete manner, ie determined according to predefined time intervals. In one embodiment, each system can receive the same input data, recalculate all the states, predefined time synchronization points (eg periodic or intermittent) and / or performed on demand and / or depending on the occurrence of d 'a predefined event can lead to verifying that the output states of each system remain within a given range (ie that the systems do not diverge. If the systems diverge, the master system can impose its state to resynchronize the slave system.
    In one embodiment, the integration between systems 121 and 122 can be carried out continuously or almost continuously, eg the results of intermediate calculations are compared (and no longer the final results, as in the embodiments described above). before). Advantageously, a possible divergence of the systems will be detected sooner than in the case of a point-in-time integration.
    In one embodiment, the roles between systems 121 and 122 are predefined, asymmetrical and generally invariant over time. In one embodiment, the allocation of roles can be progressive (in whole or in part, e.g. reactively, depending on multiple parameters, etc.).
    In one embodiment, one or more voting mechanisms can make it possible to repudiate or reject on request the planned or current regulation which would be considered as corrupt or risky (for example if at least one of the avionic systems determines it as such, etc.) .
    Figure 4 illustrates other examples of embodiments of the invention.
    In one embodiment, a non-avionic type system may include a flight management calculation library 400. The flight management calculation library 400 designates software code executed on hardware. This logic block, according to the embodiments, can carry out trajectory prediction calculations identical, or functionally equivalent, to those carried out in the avionics system. The calculations carried out reproduce as much as possible the treatments as they will be applied by the avionic system (the software code is structurally identical, possibly recompiled, or it is functionally equivalent). This calculation module can also implement various optimization steps (e.g. heuristics, A-star algorithms, genetic algorithms, algorithms based on potential fields, etc.). Block 233 can also translate or transcribe the outgoing data in a format functionally equivalent to that handled by the avionics system1213.
    In one embodiment, the avionics FMS 121 has interfaces provided for communication to third-party systems (FMS called "Open Capacity"). If necessary, the flight management calculation can be made available by the FMS NG flight management system and its "Open Capacity" capacity.
    In one embodiment, the calculation module 400 can perform search and optimization steps, transcription steps (adaptation, translation, etc.) in the avionics route, which can lead to trajectory calculations and predictions. The trajectories produced are finally manipulated in the comparator (possibly secured 231).
    Materially, the computer 233 can be implemented on a tablet or laptop (or on any other means of calculation external to the avionics, for example via remote accesses) making it possible to determine (eg search, evaluate, select, etc.) alternative routes .
    In one embodiment, the exchanges between the systems 121 and 122 (these exchanges can be designated by the term “synchronization”) continue as follows: the avionics 121 performs calculations and communicates them 316 to the open system 122 or 400 which mobilizes redundant but also potentially complementary calculations (for example by crossing information with data of non-avionic origin with more extensive coverage); the open system 122 or 400 can also multiply the calculations, e.g. conduct in parallel the analysis of very many variants of the pivot calculation or at least initial analysis carried out by avionics. The open system (s) communicate 315 the result of the calculations, for example an optimized one, to the sandbox 322, which is designed to act as a buffer before the effective reinjection of the data. The sandbox can be represented as a security or decontamination or quarantine airlock (as a passive buffer it can be sophisticated in a contained space incorporating a battery of logical tests, integrity verification and / or compliance which can in particular be compartmentalized, eg carried out independently of other entities present in the architecture, etc.
    In an open loop embodiment, the pilot controls 211 and can modify the data, which results in "completing" the synchronization between the two types of systems.
    In a closed-loop embodiment, the pilot does not intervene because his decision criteria have been modeled, quantified by means of logical rules and objective or objectifiable facts.
    In a semi-open embodiment, the feedback loops are generally closed but the pilot retains the possibility of intervening on request (for example, it can be maintained a visualization of the data flows, on the one hand avionics and on the other hand modified by the open world, leaving the opportunity to the pilot to intervene as super-regulator when he wishes).
    Once validated (unmodified or modified by humans and / or machines), the data is fed back 321 into the avionics 121.
    In one embodiment, the data or parts of data (i.e. the modifications) are tagged as such. In other words, in certain embodiments, data on the data (or metadata) are produced and stored within the avionics, which advantageously allows a certain traceability of the couples (modifications introduced - consequences measured subsequently).
    In certain embodiments, tasks of increasingly higher and higher level being allocated to the pilot (routine tasks being automated), various mechanisms, for example of security, of test, of verification or of visualizations, conducted locally on predefined aspects (checkpoints, divergences, etc.) can be used to supervise overall integration. Aspects of the regulation can in particular be evolving and in particular can be programmed to depend on the flight phases. Certain critical flight phases indeed require the active and complete control of the pilot while others can be satisfied with less sustained attention.
    FIG. 5 illustrates examples of steps of the method according to an embodiment of the invention.
    In one embodiment, a method of managing flight data of an aircraft is described, implemented in a system comprising an avionic type system 121 and a non-avionic type system 122, the method comprising the steps consisting to: determine flight data in the non-avionics system 122; storing 510 said data in a storage space; determining corresponding flight data in the avionics system 121; compare 520 the data determined on the one hand by the avionic system and on the other hand by the non-avionic system according to a predefined time diagram 580.
    In one embodiment, the system according to the invention comprises an avionic type system and a non-avionic type system. Data exchange ("synchronization") is done by data exchange.
    In one embodiment, the avionics and non-avionics systems calculate the different avionics objects on both sides (for example an alternative route or trajectory, a diversion, etc.).
    These calculations may overlap, in whole or in part. Generally non-avionic calculations, resulting from more optimized calculations and in particular using data with wider coverage, can supplement the avionic calculations.
    The data calculated on both sides is compared 520 within a shared storage space. The term "correspondent" means that the same objects (routes, trajectories, flight parameters, etc.) are manipulated on both sides.
    The temporary storage space 322 can be a "private" space within the avionics and dedicated to the open world. In one embodiment, the temporary storage space is a “sandbox” which allows the open world to be able to propose, modify, have data calculated in the avionics world before injecting them into the mission managed by avionics.
    In one embodiment, comparison mechanisms 520 monitor developments on both sides. In certain embodiments, differences may indeed persist between the calculations carried out on the side of the open world on the one hand and of the avionics world on the other hand. For example, the pilot may mistakenly think that the aircraft is being guided on a modified flight plan, while the corresponding modification was only made on the open world side (and may be lost to the pilot).
    Comparisons can be made according to the 580 time diagrams continuously, intermittently, at regular or irregular intervals (e.g. according to events during the course of the flight).
    In one embodiment, the avionics storage space is implemented in the avionics system. In this embodiment, the storage space is shared, therefore accessible to both types of systems, but advantageously inherits the reliability characteristics (physical failure rate and logical verification level) associated with avionic type systems (the degree of which reliability is higher than that associated with a non-avionics type system).
    In one embodiment, the avionics storage space is implemented in a reliable non-avionic type system, the physical failure rate and the logical verification of which are respectively lower and higher than those of a non-avionic type system. . In one embodiment, an intermediate system can be used. If an existing FMS flight management system cannot be modified to integrate the storage space, a reliable system can be used.
    In one embodiment, the method further comprises the steps of detecting the presence of predefined critical data in the data determined on the one hand by the avionics system and on the other hand by the non-avionics system; compare this critical data; display critical data that differs via the human-machine interface.
    “Objects” ie one or more “critical” (or “essential”) data can indeed be predefined.
    A critical (or essential) object may be associated with a systemic risk. A risk qualified as “systemic” implies that there is a probability (not only non-zero, i.e. non-negligible compared to predefined acceptance thresholds) of major malfunctions, affecting aeronautical safety and / or security. Even a small local event can have catastrophic global consequences. Certain objects can cause, directly or risk indirectly, "systemic" risks.
    In mathematics, the value taken by a function at a critical point is called a critical value. A critical point serves as an intermediary for finding the extremum of a function. In IT, a critical system is a system whose failure can have serious consequences, including breakdowns or significant material damage (with an impact on the flight safety of the aircraft). The notion of criticality also introduces a quantification of this critical character by associating it with different stages or stages or attributes or levels.
    In one embodiment, an object can therefore be associated with metadata translating level of local and / or global risk, which can be quantified or discretized.
    Risks can be thresholded (the criticality of an object can be determined in excess of a threshold or a range of predefined thresholds)
    These critical or essential objects can be determined in different ways.
    In one embodiment ("bottom up"), the history of differences, modifications and consequences is recorded and data analyzes, executed by hand and therefore predefined "arbitrarily" and / or performed by learning (eg supervised, not supervised, big data, statistical approaches, etc.) determine these objects, which can be described as “critical” or “essential”).
    In one embodiment (“top-down”), said objects are determined a priori. Business expertise, piloting experience or risk analysis can indeed identify particularly risky objects.
    In one embodiment, the critical data is determined in real time. In one embodiment, the essential and / or critical character is calculated de facto: the divergences in the medium and long term are determined and compared. For example, a modification to data concerning a diversion airport in an unfavorable meteorological context combined with a limit fuel level can lead to evaluating that the long-term consequences of said modification exceed an acceptable threshold.
    In one embodiment, the data considered to be critical may be different depending on the flight phase (for example, one piece of data may be critical at one time and not at another).
    In one embodiment, the essential or critical character is determined due to the presence of intrusive data. The concept of intrusion refers to a manifestation of a desire to access reserved or protected physical or logical resources. Some avionics resources are more stressed or more sensitive than others. Modifications that use these resources can be described as intrusive. Protected resources can change over time (time-driven) and / or depending on events (event-driveri).
    In one embodiment, determining the presence of such critical or essential data may trigger an alert. This alert can take the form of a feedback loop with the pilot (in particular via validations via the man-machine interface, which can consist of displays in text mode, so as not to overly complicate the interfaces, up to detailed presentations of the divergences over time.
    In the event of a discrepancy (one or more differences between the critical data), the method may include a step of showing the pilot these differences in order to decide whether the data determined by the nonavionic system can be retained and validated.
    In one embodiment, the method further comprises the step of determining risks 535 associated with the differences between the compared data. Optionally, assistance to the pilot can be offered to identify the differences and / or risks on critical data (for example, data for which systemic effects are known, ie whose cascading effects can reduce safety and / or aviation security).
    In one embodiment, the method further comprises the step of displaying 540 all or part of the differences between the compared data and / or of the risks associated with these differences via a man-machine interface. The pilot can visualize the differences and intervene if necessary. The synchronization of the open world towards the avionics and in particular · the mission space of the avionics dedicated to the pilot can be under manual control of the pilot (at least initially, then possibly under automatic control in the long term). A variety of human-machine interface devices have been previously described.
    In one embodiment, the method further comprises the step of modifying 550 all or part of the data determined in the nonavionic system. The modifications can be made at any time: after the first calculations of the open world and before the comparison, after the comparison, before the insertion of said data (for example for validation purposes), before effective activation (in the flight plan ).
    From the open system to the avionics system, it is possible to add, delete, modify, insert, merge, and replace data. It is possible to show the differences that will be injected. Some confirmations may be optional, others may be required (in particular depending on the type of object). Regarding synchronization from avionics, the data can be replaced in whole or in part. The data that has been inserted can be displayed.
    In one embodiment, the predefined time diagram 580 comprises predefined time intervals, comprising time instants and durations, for comparing and / or modifying the data.
    In one embodiment, the instants of these exchanges and the durations of these exchanges (the frequency or the temporal intervals of synchronization) are done so that a transient desynchronization of the two types of systems does not operationally hamper the pilot (typically the two systems can remain independent for a maximum duration of approximately 5 seconds). In other embodiments, the frequency of the exchanges is much higher and the maximum desynchronization time is less than one second. In other embodiments, caching mechanisms make it possible to endure trade losses over longer periods of time.
    Data exchange (synchronization, in one direction or the other) can be done automatically periodically, automatically on data change, or manually, on action of the pilot. The synchronization mode (automatic or manual) can be different in one direction and in the other. In one embodiment, the automatic mode can be preferred (from avionics to the open world) and the manual mode can be preferred from the open world to avionics.
    The type of exchange pattern offered can in particular be optimized to minimize exchanges on the network. Similarly, data compression steps can make it possible to minimize the size of the data synchronized on the avionic network.
    In one embodiment, the method further comprises the step of receiving an authorization 560 to insert and / or activate 570 in the avionics system the data determined by the non-avionics system and modified if necessary. In one embodiment, the confirmation or authorization may come from the pilot. In one embodiment, the confirmation can come from a third-party system, for example in connection with the man and / or the machine (ATC team, etc.). Finally, the transfer of data from this dedicated space in the open world to the avionics domain is authorized or not by the pilot or co-pilot.
    The pilot can be assisted in this request for authorization to transfer by highlighting the critical data that has changed and / or by verifying that the proposed flight is flyable by the aircraft.
    In one embodiment, the storage space is secured by one or more mechanisms 590 selected from the mechanisms comprising data encryption, data integrity control or authentication mechanisms.
    In one embodiment, one or more steps are triggered or depend on the context of flight 599.
    One or more steps of the method (type of synchronization, nature of the elements synchronized, moments of synchronization, etc.) can in particular be subject to the flight context of the aircraft.
    The flight context at a given time includes all of the actions taken by the pilots (and in particular the effective flight instructions) and the influence of the external environment on the aircraft. A flight context includes for example a situation among predefined or pre-categorized situations associated with data such as the position, the flight phase, the waypoints, the procedure in progress (and others). For example, the aircraft may be in the approach phase for landing, in the take-off phase, in the cruise phase but also in the ascending, descending, etc. stages (a variety of situations may be predefined). Furthermore, the current flight context can be associated with a multitude of attributes or descriptive parameters (current meteorological state, traffic state, pilot status comprising for example a stress level as measured by sensors, etc.). A flight context can therefore also include data, for example filtered by priority and / or based on flight phase data, meteorological problems, avionics parameters, ATC negotiations, flight status anomalies, problems related to traffic and / or relief. Examples of flight context include, for example, contexts such as cruising / no turbulence / nominal pilot stress or else landing phase / turbulence / intense pilot stress. These contexts can be structured according to various models (e.g. hierarchical in tree structure or according to various dependencies, including graphs). Context categories can be defined, in order to summarize the needs in terms of human-computer interaction (e.g. minimum or maximum interaction time, minimum and maximum quantity of words, etc.). There may also remain specific rules in certain contexts, notably emergencies or critical situations. Context categories can be static or dynamic (e.g. configurable).
    The method can be implemented in a system comprising means for determining a flight context of the aircraft, said determination means comprising in particular logic rules, which manipulate values as measured by physical measurement means. In other words, the means of determining the flight context include system or hardware or physical / tangible means and / or logical means (e.g. logical rules, for example predefined). For example, physical means include avionics instrumentation in the literal sense (radars, probes, etc.) which make it possible to establish factual measurements characterizing the flight. Logical rules represent all of the information processing used to interpret (e.g. contextualize) factual measures. Certain values can correspond to several contexts and by correlation and / or calculation and / or simulation, it is possible to decide on candidate contexts, by means of these logical rules. A variety of technologies makes it possible to implement these logical rules (formal logic, fuzzy logic, intuitionist logic, etc.)
    A system is described comprising means for implementing one or more of the steps of the method. In one embodiment, the avionics type system includes an FMS flight management system.
    In a preferred embodiment of the invention, the avionics system is a new generation NG type FMS avionics system communicating via the "Open Capacity" component. This Open Capacity function offers the possibility of using the storage space ("sandbox") according to the invention. The resources of this sandbox storage space are then limited but reserved in terms of CPU, memory space, so as not to hinder the operational mission activity of the pilot. The Open Capacity function provides several types of services, according to several exchange patterns, in particular a) of the request-response type which makes it possible to consult any type of information in the fields mentioned or b) to modify, insert data into the l 'storage space, c) to subscribe to events to be informed of changes in the avionics world. These events can for example indicate what types of data have changed and allow the open world to issue the request for an update of the data and d) to periodically disseminate the main system state changes made in the avionics world. This broadcast is available to anyone who wants to listen to it. There is no need to subscribe. Finally, the Open Capacity function provides the possibility of injecting data arriving from the open world into the operational mission after a pass and recalculating via the storage space.
    In one embodiment, a non-avionics type system comprises an electronic flight bag EFB or a non-avionics man-machine interface.
    In one embodiment, the avionics system is a master system and the non-avionics system is a slave system controlled by the master system.
    In some embodiments, the non-avionics system and the avionics system are equal in terms of privileges (access, read and / or write rights).
    In some embodiments, the avionics system and the nonavionics system do not assume equal roles in terms of privileges (access, read and / or write rights). For example, one or the other system will have higher prerogatives (e.g. depending on the data and / or over time). Either system may have priority (either generally, or for specific functions and / or data). For example, the flight management system could be considered as “the master system” while the non-avionics system could assume the role of a slave system (“slave system”).
    A computer program product is described, said computer program comprising code instructions making it possible to carry out one or more of the steps of the method, when said program is executed on a computer.
    The present invention can be implemented using hardware and / or software elements. It may be available as a computer program product on computer-readable media. The support can be electronic, magnetic, optical or electromagnetic.
    In one embodiment, the method is implemented by computer.
    In one embodiment, the system for implementing the invention comprises a computer-readable storage medium (RAM, ROM, flash memory or another memory technology, for example disk medium or another storage medium non-transient computer-readable) coded with a computer program (that is to say several executable instructions) which, when executed on a processor or several processors, performs the functions of the embodiments described above. As an example of a hardware architecture adapted to implementing the invention, a device may include a communication bus to which a central processing unit or microprocessor (CPU, acronym for "Central Processing Unit" in English) is connected, which processor can be multi-core or many-core ·, a read only memory (ROM, acronym for "Read Only Memory" in English) which may include the programs necessary for the implementation of the invention; a random access memory or cache memory (RAM, acronym for "Random Access Memory" in English) comprising registers suitable for recording variables and parameters created and modified during the execution of the aforementioned programs; and a communication or I / O interface (I / O acronym for "Input / ouput" in English) adapted to transmit and receive data.
    In the case where the invention is implemented on a reprogrammable computing machine (for example an FPGA circuit), the corresponding program (i.e. the sequence of instructions) can be stored in or on a storage medium removable (for example an SD card, or mass storage such as a hard disk eg an SSD) or non-removable, volatile or non-volatile, this storage medium being partially or completely readable by a computer or a processor. The computer-readable medium can be transportable or communicable or mobile or transmissible (i.e. by a 2G, 3G, 4G, Wifi, BLE, fiber optic or other telecommunications network).
    The reference to a computer program which, when executed, performs any of the functions described above, is not limited to an application program running on a single host computer. On the contrary, the terms computer program and software are used here in a general sense to refer to any type of computer code (for example, application software, firmware, microcode, or any other form of computer instruction, such as web services or SOA or via API programming interfaces) which can be used to program one or more processors to implement aspects of the techniques described here. IT resources or resources can in particular be distributed (Cloud computing), possibly with or according to peer-to-peer and / or virtualization technologies. The software code can be executed on any suitable processor (for example, a microprocessor) or processor core or a set of processors, whether provided in a single computing device or distributed among several computing devices (for example example as possibly accessible in the environment of the device). Security technologies (crypto-processors, possibly biometric authentication, encryption, smart card, etc.) can be used.
    In certain embodiments, the various steps of the method can be implemented in whole or in part on the FMS and / or on one or more EFBs (electronic flight bags or bags) and / or tablets and / or airline calculator or of mission.
    权利要求:
    Claims (15)
    [1" id="c-fr-0001]
    claims
    1. Method for managing flight data of an aircraft implemented in a system comprising an avionic type system and a nonavionic type system, the method comprising the steps consisting in:
    - determine flight data in the non-avionics system;
    - store said data in a storage space;
    - determine corresponding flight data in the avionics system;
    - compare the data determined on the one hand by the avionics system and on the other hand by the non-avionics system according to a predefined time diagram.
    [2" id="c-fr-0002]
    2. Method according to claim 1, the avionics storage space being implemented in the avionics system.
    [3" id="c-fr-0003]
    3. Method according to claim 1, the avionics storage space being implemented in a reliable non-avionic type system, the physical failure rate and the logical verification are respectively lower and higher than those of a non-avionic system. -avionique.
    [4" id="c-fr-0004]
    4. The method of claim 1, further comprising the steps of:
    - detect the presence of predefined critical data in the data determined on the one hand by the avionics system and on the other hand by the non-avionics system;
    - compare this critical data;
    - display critical data that differs via the human-machine interface.
    [5" id="c-fr-0005]
    5. The method of claim 1, further comprising the step of determining risks associated with differences between the compared data.
    [6" id="c-fr-0006]
    6. The method of claim 1, further comprising the step of displaying all or part of the differences between the compared data and / or risks associated with these differences via a man-machine interface.
    [7" id="c-fr-0007]
    7. Method according to any one of the preceding claims, further comprising the step of modifying all or part of the data determined in the non-avionic system.
    [8" id="c-fr-0008]
    8. Method according to any one of the preceding claims, the predefined time diagram comprising predefined time intervals, comprising time instants and durations, for comparing and / or modifying the data.
    [9" id="c-fr-0009]
    9. A method according to any one of the preceding claims, further comprising the step of receiving an authorization to insert and / or activate in the avionic system the data determined by the nonavionic system and modified if necessary.
    [10" id="c-fr-0010]
    10. Method according to any one of the preceding claims, the storage space being secured by one or more mechanisms selected from the mechanisms comprising data encryption, data integrity control or authentication mechanisms.
    [11" id="c-fr-0011]
    11. Method according to any one of the preceding claims, one or more steps being triggered depending on the flight context.
    [12" id="c-fr-0012]
    12. A computer program product, said computer program comprising code instructions making it possible to carry out the steps of the method according to any one of claims 1 to 11, when said program is executed on a computer.
    [13" id="c-fr-0013]
    13. System comprising means for implementing the steps of the method according to any one of claims 1 to 11.
    [14" id="c-fr-0014]
    14. The system as claimed in claim 13, an avionics type system comprising an FMS flight management system and a nonavionics type system comprising an electronic flight bag EFB or a non-avionics machine interface.
    [15" id="c-fr-0015]
    15. System according to one of claims 13 to 14, the avionics system being a master system and the non-avionics system being a slave system controlled by the master system.
    类似技术:
    公开号 | 公开日 | 专利标题
    FR3067803A1|2018-12-21|SYNCHRONIZATION OF A DUAL AVIONIC AND NON-AVIONIC SYSTEM
    FR3067802A1|2018-12-21|ALTERNATIVE ROAD MANAGEMENT FOR AN AIRCRAFT
    US20200137097A1|2020-04-30|System and method for securing an enterprise computing environment
    FR3046273A1|2017-06-30|OPEN ARCHITECTURE FOR FLIGHT MANAGEMENT SYSTEM
    US10841328B2|2020-11-17|Intelligent container resource placement based on container image vulnerability assessment
    US10691505B2|2020-06-23|Software bot conflict-resolution service agent
    CN103823830B|2017-09-29|Method and system for destroying sensitive information
    US9171167B2|2015-10-27|Methods and systems for use in analyzing cyber-security threats in an aviation platform
    FR3055958A1|2018-03-16|DECISION AID FOR THE REVISION OF A FLIGHT PLAN
    US9804875B2|2017-10-31|Software component and device for the automated processing of multi-purpose data, employing functions requiring different security levels or responsibility limits
    US10991255B2|2021-04-27|Providing an open interface to a flight management system
    US9021479B2|2015-04-28|Enforcing machine deployment zoning rules in an automatic provisioning environment
    US9940466B2|2018-04-10|Computer-implemented command control in information technology service environment
    Bergstra et al.2019|A promise theoretic account of the boeing 737 Max MCAS algorithm affair
    US10373072B2|2019-08-06|Cognitive-based dynamic tuning
    FR3082829A1|2019-12-27|AIRCRAFT MANAGEMENT
    EP3712798B1|2021-07-07|Distributed registers for managing the life cycle of data in aeronautics
    US20190180034A1|2019-06-13|Compliant software component infrastructure deployment
    US10331883B2|2019-06-25|Malicious code avoidance using transparent containers
    US20180152543A1|2018-05-31|Emergency data cutoff for storage systems
    FR3067805A1|2018-12-21|DECISION AID FOR THE CONTROL OF AN AIRCRAFT
    US20200380099A1|2020-12-03|Variable access based on facial expression configuration
    US20220038490A1|2022-02-03|Cybersecurity threat modeling and analysis with text miner and data flow diagram editor
    EP3842962A1|2021-06-30|Method and system for managing data streams for unified governance of a plurality of intensive calculation solutions
    US20210174216A1|2021-06-10|Signaling concept drift during knowledge base population
    同族专利:
    公开号 | 公开日
    US20180365265A1|2018-12-20|
    CN109150954A|2019-01-04|
    FR3067803B1|2020-05-22|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US20120116614A1|2010-11-09|2012-05-10|Lockheed Martin Corporation|Method and apparatus for air traffic trajectory synchronization|
    FR2918349B1|2007-07-05|2009-10-02|Airbus France Sa|SYSTEM FOR DISPLAYING AVIONIC AND NON-AVIONIC APPLICATIONS|
    EP2734905B1|2011-07-22|2019-07-17|Aspen Avionics, Inc.|Avionics gateway interface, systems and methods|
    US8760319B2|2011-11-15|2014-06-24|Honeywell International Inc.|Aircraft monitoring with improved situational awareness|
    US9284045B1|2014-03-28|2016-03-15|Garmin International, Inc.|Connected cockpit system and method|
    FR3020882B1|2014-05-09|2017-12-08|Thales Sa|OPTIMIZING THE TRACK OF AN AIRCRAFT|
    US9126677B1|2014-10-16|2015-09-08|Sydney Robert Curtis|Universal multi-role aircraft protocol|
    FR3029619B1|2014-12-05|2017-10-06|Airbus Operations Sas|MANAGEMENT SYSTEM, ESPECIALLY FLIGHT MANAGEMENT SYSTEM, FOR AN AIRCRAFT.|
    FR3055958B1|2016-09-13|2020-04-24|Thales|DECISION ASSISTANCE FOR THE REVISION OF A FLIGHT PLAN|US10616241B2|2017-06-05|2020-04-07|Honeywell International Inc.|Systems and methods for performing external data validation for aircraft onboard systems|
    US10497267B2|2018-01-23|2019-12-03|Textron Innovations Inc.|Blockchain airspace management for air taxi services|
    US20190243504A1|2018-02-05|2019-08-08|Honeywell International Inc.|Touch screen controller with data exchange and mining service|
    FR3101703B1|2019-10-03|2021-11-26|Thales Sa|AUTOMATIC LEARNING FOR MISSION SYSTEM|
    US20210142681A1|2019-11-13|2021-05-13|Ge Aviation Systems Llc|Method and system for synchronizing a flight management system with an external device|
    CN112261109B|2020-10-16|2021-08-24|中国民用航空华东地区空中交通管理局|Multi-airport time slot exchange system and method based on block chain|
    法律状态:
    2018-12-21| PLSC| Search report ready|Effective date: 20181221 |
    2019-06-03| PLFP| Fee payment|Year of fee payment: 3 |
    2020-05-26| PLFP| Fee payment|Year of fee payment: 4 |
    2021-05-27| PLFP| Fee payment|Year of fee payment: 5 |
    优先权:
    申请号 | 申请日 | 专利标题
    FR1700650A|FR3067803B1|2017-06-16|2017-06-16|SYNCHRONIZATION OF A DUAL AVIONIC AND NON-AVIONIC SYSTEM|
    FR1700650|2017-06-16|FR1700650A| FR3067803B1|2017-06-16|2017-06-16|SYNCHRONIZATION OF A DUAL AVIONIC AND NON-AVIONIC SYSTEM|
    US16/009,118| US20180365265A1|2017-06-16|2018-06-14|Synchronization of a dual avionic and non-avionic system|
    CN201810630575.XA| CN109150954A|2017-06-16|2018-06-19|Aviation electronics is synchronous with non-aviation electronics dual system|
    [返回顶部]